win.liteduke

LiteDuke

Actor(s): APT 29


According to Carbon Black, LiteDuke is a third-stage backdoor. It appears to use the same dropper as PolyglotDuke. Its payload stores its configuration in an AES-encrypted SQLite database. LiteDuke supports a large number of individual commands, including host information retrieval, file upload and download, and the ability to execute other code. LiteDuke C2 servers appear to be compromised servers, and the malware communicates with them using ordinary HTTP requests. It attempts to use a realistic User-Agent string to blend in better with normal HTTP traffic.
ESET dubbed it LiteDuke because it uses SQLite to store information such as its configuration.

References
2020-05-18, Kevin Perlow (One Night in Norfolk): "Looking Back at LiteDuke", https://norfolkinfosec.com/looking-back-at-liteduke/ (families: LiteDuke)
2020-03-26, Scott Knight (VMWare Carbon Black): "The Dukes of Moscow", https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/ (families: Cobalt Strike, LiteDuke, MiniDuke, OnionDuke, PolyglotDuke, PowerDuke)
Yara Rules
[TLP:WHITE] win_liteduke_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_liteduke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 56 ff15???????? 8d85effdffff 6a00 50 6a00 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8d85effdffff         | lea                 eax, [ebp - 0x211]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   6a00                 | push                0

        $sequence_1 = { 09c0 0f85e1000000 68???????? 68???????? 6a01 6a00 }
            // n = 6, score = 200
            //   09c0                 | or                  eax, eax
            //   0f85e1000000         | jne                 0xe7
            //   68????????           |                     
            //   68????????           |                     
            //   6a01                 | push                1
            //   6a00                 | push                0

        $sequence_2 = { 5e c9 c20c00 55 89e5 60 8b7508 }
            // n = 7, score = 200
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c20c00               | ret                 0xc
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   60                   | pushal              
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]

        $sequence_3 = { 894510 837d1400 7413 8b4510 }
            // n = 4, score = 200
            //   894510               | mov                 dword ptr [ebp + 0x10], eax
            //   837d1400             | cmp                 dword ptr [ebp + 0x14], 0
            //   7413                 | je                  0x15
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_4 = { e8???????? 83c408 3245f8 5a 8845f6 31c0 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   3245f8               | xor                 al, byte ptr [ebp - 8]
            //   5a                   | pop                 edx
            //   8845f6               | mov                 byte ptr [ebp - 0xa], al
            //   31c0                 | xor                 eax, eax

        $sequence_5 = { 8d8dfcfbffff 50 6819000200 6a00 51 ffb5f4fbffff }
            // n = 6, score = 200
            //   8d8dfcfbffff         | lea                 ecx, [ebp - 0x404]
            //   50                   | push                eax
            //   6819000200           | push                0x20019
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   ffb5f4fbffff         | push                dword ptr [ebp - 0x40c]

        $sequence_6 = { c1e802 89433c 8b45fc 894334 8b4df8 c1e902 }
            // n = 6, score = 200
            //   c1e802               | shr                 eax, 2
            //   89433c               | mov                 dword ptr [ebx + 0x3c], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   894334               | mov                 dword ptr [ebx + 0x34], eax
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   c1e902               | shr                 ecx, 2

        $sequence_7 = { 8a141f 88e3 8a341f c1ca10 8916 }
            // n = 5, score = 200
            //   8a141f               | mov                 dl, byte ptr [edi + ebx]
            //   88e3                 | mov                 bl, ah
            //   8a341f               | mov                 dh, byte ptr [edi + ebx]
            //   c1ca10               | ror                 edx, 0x10
            //   8916                 | mov                 dword ptr [esi], edx

        $sequence_8 = { c74310fedcba98 c7431476543210 5b c9 c3 55 89e5 }
            // n = 7, score = 200
            //   c74310fedcba98       | mov                 dword ptr [ebx + 0x10], 0x98badcfe
            //   c7431476543210       | mov                 dword ptr [ebx + 0x14], 0x10325476
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp

        $sequence_9 = { 01ce 56 e8???????? 01ce 31c0 ac 3c01 }
            // n = 7, score = 200
            //   01ce                 | add                 esi, ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   01ce                 | add                 esi, ecx
            //   31c0                 | xor                 eax, eax
            //   ac                   | lodsb               al, byte ptr [esi]
            //   3c01                 | cmp                 al, 1

    condition:
        7 of them and filesize < 1171456
}